903968 - CSP Inline Script or Style logging has no line numbers, if caused by a script

Status: NEW

(Core :: DOM: Security, defect, P3)

Description

[Frederik Braun [:freddy]]

When I cause an inline script violation to be thrown (by a simple inline script tag) the error console has line numbers.

But when a whitelisted JavaScript file adds inline JavaScript through document.write/innerHTML the offending JS is logged - but *without* line number of the offending script that causes the violation.

This becomes very hard to debug when dealing with long third-party script libraries.

Comment 1

[Frederik Braun [:freddy]]

Attachment: wip test

This is just a test and still wip. I have yet to figure out how to probe the web console for the extra info

Comment 2

[Boris Zbarsky [:bzbarsky]]

What line number do you expect, exactly?  The line number of the DOM manipulation that (possibly indirectly) led the inline script tag to try executing?

Comment 3

[Frederik Braun [:freddy]]

Yeah, basically. That doesn't sound like an easy thing to do, right? ;)

Comment 4

[Boris Zbarsky [:bzbarsky]]

Not easily, no....

Comment 5

[Firefox Bug Husbandry Bot]

https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven't been updated in more than 3 years and has no one currently assigned to P5.

If you have questions, please contact :mdaly.

Comment 7

[Daniel Veditz [:dveditz]]

from bug 1540257 comment 0

1. Open Console https://firefox-devtools-csp.glitch.me/image
2. Check the CSP error location

Firefox: image:1:1, wrong, (default location for errors?)
Chrome: image:11, correct line in JS